Oracle CPU October 2017 - Java (WAF and Login/IAM)

Submitted on 18. October 2017 - 10:55 by rischi. Last update on 20. October 2017 - 19:22.

Keywords:

java, cpu, Oracle Critical Patch Update

Description:

The Oracle Critical Patch Update for October 2017 includes updates for Java SE [1] that fix several vulnerabilities.

Airlock WAF uses Java in the Configuration Center and in several add-on modules.

Airlock Login/IAM relies on a separately installed Java environment. This Java runtime environment is maintained by the system administrator.

Airlock WAF and Login/IAM are not affected.

Details

CVE-2017-10388
Affects the Java Kerberos client, which is not used in Airlock WAF and Login/IAM. The Airlock Suite is therefore not vulnerable.

CVE-2017-10281
Affects Java deserialization. Airlock WAF and Login/IAM are not affected because deserialization is only performed on trusted data.

CVE-2017-10295
Affects applications using HttpURLConnection with attacker-controlled URLs. Airlock WAF and Login/IAM are not affected because the URLs used with HttpURLConnection are trusted.

CVE-2017-10356
Affects Java Keystores and may allow password guessing attacks. Airlock WAF does not use Java Keystore files and is therefore not affected. The keystore files used by Airlock Login/IAM reside on the server and are therefore in a protected environment.

CVE-2017-10345
Affects Java Keystores and may allow high memory consumption. Airlock WAF does not use Java Keystore files and is therefore not affected. As Airlock Login/IAM only reads trusted Keystore files, it is not vulnerable.

CVE-2017-10355
Affects Java applications establishing an FTP connection. FTP is not used in Airlock WAF and Airlock Login/IAM.